CN111490986A - Test system and method for intrusion prevention equipment - Google Patents


Info

Publication number: CN111490986A
Authority: CN (China)
Prior art keywords: firewall, port, test, gre, intrusion prevention
Legal status: Granted
Application number: CN202010261927.6A
Other languages: Chinese (zh)
Other versions: CN111490986B (en)
Inventor: 徐硕
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202010261927.6A
Publication of CN111490986A
Application granted
Publication of CN111490986B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A test system for an intrusion prevention device is provided, comprising a first test device, a second test device, a first firewall, a second firewall and an IPS device. The first test device sends test data messages to the first firewall; the second test device receives the test data messages from the first test device through the second firewall; the first firewall has a gateway-configured first port connected to the sending port of the first test device and a second port for creating a GRE tunnel; the second firewall has a gateway-configured first port connected to the sending port of the second test device and a second port for creating a GRE tunnel with the second port of the first firewall; and the intrusion prevention device is arranged between the second port of the first firewall and the second port of the second firewall, receives the test message data output by the second port of the first firewall and forwards the legitimate test message data to the second port of the second firewall.

Description

Test system and method for intrusion prevention equipment
Technical Field
The present disclosure relates to the field of computer technology and communication technology, and in particular, to a test system for intrusion prevention devices.
Background
An IPS (Intrusion Prevention System) is a computer network security facility that supplements antivirus programs and firewalls (packet filters, application gateways). It is a network security device that can monitor the data transmission behaviour of a network or of network devices and can immediately interrupt, adjust or isolate abnormal or harmful transmissions.
At present, when an IPS is tested, it is usually connected in series in a network formed by two switches, and messages are replayed at the two ends of the switches or test equipment is used to send traffic.
GRE (Generic Routing Encapsulation) is a tunneling protocol. Its basic function is to provide a tunnel: two remote networks connected through the tunnel behave as if they were directly connected, because GRE simulates a direct link between them.
When testing the processing capability of the IPS for GRE packets, it is currently necessary to use software to construct packets with a GRE header, forward them to the IPS through a switch, and then test how the IPS device handles traffic carrying the GRE header.
This method of testing the IPS's handling of GRE messages has many defects, because the messages with GRE headers must be constructed by software: the type of data packet encapsulated in software-constructed GRE traffic is single, so the IPS is not tested comprehensively and the test result is inaccurate; the attacks in the encapsulated packets are relatively complex in structure and hard to build with software, which increases test complexity and reduces test efficiency; the traffic sent by software is small and cannot meet the requirements of an IPS performance test, so the result is inaccurate; the sent messages do not allow the failure condition of the traffic to be observed accurately in real time; and constructing messages manually is inefficient.
Therefore, a new testing system and method for intrusion prevention devices is needed, which can improve the efficiency and accuracy of IPS testing.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of the above, the present disclosure provides a new test system and method for intrusion prevention devices which, at least to some extent, improves the efficiency and accuracy of the test.
Additional features and advantages of the invention will be set forth in the detailed description which follows, or may be learned by practice of the invention.
A test system for an intrusion prevention device is provided, comprising a first test device, a second test device, a first firewall, a second firewall and an IPS device. The first test device sends test data messages to the first firewall; the second test device receives the test data messages from the first test device through the second firewall; the first firewall has a gateway-configured first port connected to the sending port of the first test device and a second port for creating a GRE tunnel; the second firewall has a gateway-configured first port connected to the sending port of the second test device and a second port for creating a GRE tunnel with the second port of the first firewall; and the intrusion prevention device is arranged between the second port of the first firewall and the second port of the second firewall, receives the test message data output by the second port of the first firewall and forwards the legitimate test message data to the second port of the second firewall.
A testing system for an intrusion prevention device according to the present disclosure, wherein the first firewall is configured to create a tunnel interface and the tunnel interface is configured for routing to a second testing device, and the second firewall is configured to create a tunnel interface and the tunnel interface is configured for routing to the first testing device, thereby forming a GRE tunnel between the second port of the first firewall and the second port of the second firewall.
The testing system for the intrusion prevention equipment is characterized in that the first firewall is provided with a GRE encapsulation component and is used for encapsulating a testing data message from the first testing equipment and destined to the second testing equipment into a GRE packet by adopting a GRE protocol, and the second firewall is provided with a GRE encapsulation component and is used for decapsulating the GRE packet from the first firewall and sending the decapsulated testing data message to the second testing equipment.
The test system for the intrusion prevention device according to the present disclosure, wherein the first port is an Ethernet port and the second port is a gigabit Ethernet port.
A test system for an intrusion prevention device according to the present disclosure, wherein the intrusion prevention device has an IPv4 protection policy component and/or an IPv6 protection policy component.
According to the test system for the intrusion prevention equipment, the gateway address configured by the receiving and sending port of the first test equipment is the address of the first port of the first firewall, and the gateway address configured by the receiving and sending port of the second test equipment is the address of the first port of the second firewall.
According to the test system for the intrusion prevention device, the test data messages sent by the first test device comprise one or a combination of: application layer background data of multiple protocols; attack and virus data with background data; dual-stack background data and attack data containing IPv4 and IPv6 traffic; and massive application layer background data and abnormal data.
According to another aspect of the present disclosure, there is provided a test method for an intrusion prevention device, comprising: configuring a first test device such that the gateway address of its sending port is the address of the first port of a first firewall, so that the first test device sends test data packets to the first firewall; configuring a second test device such that the gateway address of its receiving and sending port is the address of the first port of a second firewall, so that the second test device receives the test data messages from the first test device; configuring the first firewall so that its first port is provided with a gateway and its second port is used to create a GRE tunnel, so that the first firewall encapsulates the test data message from the first test device into a GRE packet using the GRE encapsulation protocol; configuring the second firewall so that its first port is provided with a gateway and its second port is used to create the GRE tunnel, so that the second firewall decapsulates the received GRE packet using the GRE encapsulation protocol to obtain the test data message from the first test device; and configuring the intrusion prevention device to forward the validated GRE packet from the second port of the first firewall to the second port of the second firewall.
A testing method for an intrusion prevention device according to the present disclosure, wherein the configuring of the first firewall includes creating a tunnel interface and causing the tunnel interface to be routed to the second testing device, and the configuring of the second firewall includes creating a tunnel interface and causing the tunnel interface to be routed to the first testing device, thereby forming a GRE tunnel between the second port of the first firewall and the second port of the second firewall.
According to the test method for the intrusion prevention device, the first port is an Ethernet port and the second port is a gigabit Ethernet port.
The test method for the intrusion prevention device according to the present disclosure, wherein configuring the intrusion prevention device includes configuring an IPv4 protection policy and/or an IPv6 protection policy for it.
A test method for an intrusion prevention device according to the present disclosure, wherein configuring the first test device comprises enabling it to send one or a combination of: application layer background data of multiple protocols; attack and virus data with background data; dual-stack background data and attack data including IPv4 and IPv6 traffic; and massive application layer background data and anomaly data.
The method comprises the following steps: receiving a test data message through a first firewall; encapsulating the test data message into a GRE packet through the first firewall and adding a GRE packet header to it; and sending the GRE packet traffic from the first firewall to a second firewall based on the GRE packet header, so that the intrusion prevention device is tested with the GRE packet. The GRE packet header is added to the message automatically by the constructed GRE tunnel, so there is no need to construct messages with GRE headers in software; the test uses the various kinds of traffic sent by the test equipment, which increases the diversity of GRE messages and improves the efficiency and accuracy of GRE message testing.
In the embodiment of the invention, this GRE test system provides a stability test environment in which the processing capability of different devices for GRE traffic can be verified without constructing messages containing a GRE header in software. The processing capability of the intrusion prevention device for GRE traffic and attacks can therefore be tested using existing background traffic and attack messages, its performance and stability under a relatively complex load can be verified, the manual effort of constructing messages is reduced, and the test efficiency and accuracy are improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
fig. 1 is a frame diagram of a system for testing GRE messages shown in the related art;
FIG. 2 is an architecture diagram of a GRE tunnel, shown in accordance with an exemplary embodiment;
FIG. 3 is an architecture diagram of a GRE test system shown in accordance with an exemplary embodiment;
FIG. 4 is a flow diagram illustrating a GRE message testing method in accordance with an exemplary embodiment;
FIG. 5 is a flow diagram illustrating a GRE message testing method in accordance with another exemplary embodiment;
FIG. 6 is a schematic structural diagram illustrating a GRE message testing apparatus according to an exemplary embodiment;
fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations or operations have not been shown or described in detail to avoid obscuring aspects of the invention.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
Fig. 1 is a frame diagram of a system for testing GRE packets in the related art. As shown in fig. 1, an IPS is connected in series in a network formed by switch 1 and switch 2, which are connected to a first terminal and a second terminal respectively. The first terminal is provided with software (a program) capable of constructing packets with a GRE header and is used for sending packets, for example a client that provides replayed packets or test traffic; the second terminal is used for receiving packets, for example a server. The constructed message with the GRE header is forwarded to the IPS through switch 1, and the processing capability of the IPS for messages with GRE headers is tested. It should be noted that the network may further include a switch 3 connected to the IPS, and a server connected to that switch, for unified management of the entire system.
In this GRE traffic test method, the messages with GRE headers must be constructed by software, so both the test efficiency and the test accuracy are low.
The embodiment of the invention provides a GRE (generic routing encapsulation protocol) message test method which uses existing common attacks and traffic, reducing the time spent constructing messages manually, increasing the types of GRE traffic and enriching the composition of the test traffic. The IPS device's detection of GRE attacks and its protection capability are tested comprehensively with many different protocol types and attacks. The test device sends larger and more complex traffic, which verifies the state and stability of the device under test under heavy GRE traffic and improves test efficiency and accuracy.
The following describes in detail the GRE packet testing method proposed in the embodiment of the present invention with reference to specific embodiments.
FIG. 2 is an architecture diagram illustrating a GRE tunnel in accordance with an exemplary embodiment. As shown in fig. 2, a GRE tunnel may include a first firewall and a second firewall, where "firewall" refers to a device with VPN functions, including but not limited to a firewall or a switch; the first firewall is illustrated as firewall 1 in fig. 2 and the second firewall as firewall 2.
It should be noted that the GRE tunnel may further include a first network (network 1 in fig. 3) for sending traffic, such as a client, and a second network (network 2 in fig. 3) for receiving traffic, such as a server. It should be noted that the first network and the second network may be configured in opposite ways, for example, the first network is used for receiving traffic and the second network is used for sending traffic. In the embodiment of the present invention, a first network sends traffic and a second network receives traffic as an example.
According to the embodiment of the present invention, when a GRE tunnel is established based on a first firewall and a second firewall, it is first necessary to configure the Eth1/1 interface (first port) of firewall 1 (first firewall) (address: 10.0.0.0/16) and connect it to the first network 1, and to configure the Eth1/1 port (first port) of firewall 2 (second firewall) (address: 11.0.0.0/16) and connect it to the second network 2. The gige0_1 interface (second port) of firewall 1 (address: 12.0.0.1/24) and the gige0_1 interface (second port) of firewall 2 (address: 12.0.0.2/24) are directly connected, and these two ports serve as the actual physical interfaces of the GRE tunnel. Then the GRE tunnel interface tunnel0 (address: 1.1.1.1/24) with GRE as its encapsulation mode is configured on firewall 1, and the GRE tunnel interface tunnel1 (address: 1.1.1.2/24) with GRE as its encapsulation mode is configured on firewall 2. A route to the second network 2 via the GRE tunnel interface is configured on firewall 1, and a route to network 1 via the GRE tunnel interface is configured on firewall 2.
Through the above steps, a virtual direct link, i.e. a GRE tunnel, is created between firewall 1 (first firewall) and firewall 2 (second firewall). When firewall 1 receives a data packet whose destination address is in the second network 2, the original packet is encapsulated in the GRE protocol and a GRE packet header is added, in which the source address is the tunnel home address, i.e. the tunnel0 interface of firewall 1, and the destination address is the tunnel peer address, i.e. the tunnel1 interface of firewall 2. When firewall 2 receives the encapsulated GRE packet, it decapsulates the packet header and checks the destination address: if the destination address is the address of its own tunnel interface, the packet has reached the end point of the GRE tunnel (firewall 2), decapsulation of the encapsulated GRE packet continues, and finally the decapsulated traffic is sent to the second network 2. This implements the GRE tunnel between firewall 1 and firewall 2 and completes the communication between the first network 1 and the second network 2.
It should be noted that if, after receiving the packet and decapsulating the header of the encapsulated GRE packet, firewall 2 determines that the destination address is not the address of its own tunnel interface, it re-encapsulates the GRE packet header and forwards the GRE packet to another device over the GRE tunnel between itself and that device, so that the encapsulated GRE packet reaches the destination address in its GRE packet header. In the embodiment of the invention, the GRE tunnel can be built with only firewall 1 and firewall 2, and the intrusion prevention device is placed inside the tunnel, so the processing capability of the intrusion prevention device for GRE messages can be tested without building any other GRE tunnel.
It should be noted that the GRE tunnel may further include a switch connected to the firewall 1 and the firewall 2, and a server connected to the switch for performing unified management on the entire system.
In the embodiment of the invention, after the GRE tunnel is built, a GRE test system can be built on the basis to test the processing capability of the GRE message of the intrusion prevention equipment.
FIG. 3 is an architecture diagram illustrating a GRE testing system in accordance with an exemplary embodiment. As shown in fig. 3, the intrusion prevention apparatus may be connected in series to a GRE tunnel constructed by the firewall 1 and the firewall 2, and the first network 1 and the second network 2 may be replaced with two sending ports T0 and T1 of the first testing apparatus and the second testing apparatus.
According to the embodiment of the invention, the device under test is an intrusion prevention device (IPS). The interfaces at the two ends of the IPS are connected to gige0_1 (address: 12.0.0.1/24) of firewall 1 and gige0_1 (address: 12.0.0.2/24) of firewall 2 respectively, so that all packets flowing through the IPS are encapsulated GRE packets. The IPS is configured with IPv4 and IPv6 protection policies, and protection is performed by the IPv4 protection component or the IPv6 protection component in order to test the GRE packets flowing through the IPS.
It should be noted that, by replacing the intrusion prevention device with another device, the processing capability of the other device for the GRE message can be tested.
In the embodiment of the invention, the receiving and sending port T0 of the test equipment is connected to port Eth1/1 of firewall 1, and the receiving and sending port T1 of the test equipment is connected to port Eth1/1 of firewall 2. The gateway configured for the IP address of port T0 is the address (10.0.0.0/16) of port Eth1/1 of firewall 1, and the gateway configured for the IP address of port T1 is the address (11.0.0.0/16) of port Eth1/1 of firewall 2, so that port T0 and port T1 of the test equipment communicate through the GRE tunnel environment.
According to the embodiment of the invention, the test equipment receiving and sending port T0 can be configured to serve as a client, the receiving and sending port T1 serves as a server, and test traffic is sent between the client and the server.
According to the embodiment of the invention, the receiving and sending port T0 can send application layer background traffic containing multiple protocols, which verifies the processing capability of the IPS device for mixed GRE-encapsulated traffic. T0 can also send attacks and viruses together with background traffic, which verifies the detection and protection capability of the IPS device against GRE-encapsulated attacks and viruses. T0 can also send dual-stack background traffic and attack traffic containing IPv4 and IPv6 traffic, which verifies the detection and processing capability of the IPS device for dual-stack traffic and attacks. T0 can also send a large amount of application layer background traffic and abnormal traffic for a long time, from T0 to the receiving and sending port T1 of the test equipment, which verifies the stability of the IPS device when processing GRE traffic.
It should be noted that, the GRE test system may further include a switch connected to the IPS, and a server connected to the switch, for performing unified management on the entire system.
The following describes in detail a GRE message test method in an embodiment of the present invention with reference to the GRE test system in fig. 3. It should be noted that the method may be executed by the first firewall in the GRE test system, but the present invention is not limited thereto; for example, it may also be executed by the second firewall.
Fig. 4 is a flow diagram illustrating a GRE message testing method in accordance with an exemplary embodiment. As shown in fig. 4, the method may include, but is not limited to, the following steps:
In S410, a test data packet is received through a first firewall.
According to the embodiment of the invention, the test data message from the first network (the receiving and sending port T0 of the test equipment) can be received by the first firewall (firewall 1), and the test data message comprises a data packet with the target address of the second network (the receiving and sending port T1 of the test equipment).
It should be noted that the first network may be the test device sending/receiving port T0, and may be configured as a client, and the second network may be the test device sending/receiving port T1, and may be configured as a server.
It should be noted that the first firewall is configured with various routes of packets, and for the test data packet (the packet addressed to the second network), the route is configured to be sent through the GRE tunnel between the first firewall and the second firewall.
According to the embodiment of the invention, the test data message comprises: at least one of application-level background traffic, attacks and viruses with background traffic, and dual-stack background traffic and attack traffic.
It should be noted that, in the embodiment of the present invention, a large number of test data messages may be continuously sent through the sending/receiving port T0 of the test device, so as to test the stability of the intrusion prevention device when processing the GRE traffic.
In S420, the first firewall encapsulates the test data packet into a GRE packet and adds a GRE packet header to it.
According to an embodiment of the invention, a GRE tunnel interface (tunnel0, address: 1.1.1.1/24) and a GRE encapsulation mode are configured on the first firewall; after the test data packet is received, it is encapsulated into a GRE packet according to that encapsulation mode.
According to an embodiment of the invention, the GRE packet header added to the GRE packet includes a GRE destination address, namely the address of the GRE tunnel interface of the second firewall: the tunnel1 port (address: 1.1.1.2/24) of firewall 2 in Fig. 3.
According to an embodiment of the invention, the GRE packet header may further include a GRE source address, namely the address of the GRE tunnel interface of the first firewall: the tunnel0 port (address: 1.1.1.1/24) of firewall 1 in Fig. 3.
In S430, the first firewall sends the GRE packet to the second firewall based on the GRE packet header, so that the intrusion prevention device tests the GRE packet.
According to an embodiment of the invention, the intrusion prevention device is connected in series in the GRE tunnel built between firewall 1 and firewall 2: the tunnel endpoints gige0_1 (address: 12.0.0.1/24) and gige0_1 (address: 12.0.0.2/24) are connected to the interfaces at the two ends of the device under test, so the encapsulated GRE packets flow through the intrusion prevention device.
According to an embodiment of the invention, the intrusion prevention device may be an IPS configured with IPv4 and IPv6 protection policies, which are used to test the GRE packets flowing through it.
In the embodiment of the invention, a test data packet is received through the first firewall; the first firewall encapsulates the test data packet into a GRE packet and adds a GRE packet header to it; and the first firewall sends the GRE packet to the second firewall based on the GRE packet header, so that the intrusion prevention device tests the GRE packet. Because the GRE packet header is added automatically on the basis of the constructed GRE tunnel, packets with GRE headers do not have to be constructed in software; the test is carried out with the various types of traffic the test device already sends, which increases the diversity of the GRE packets and improves the efficiency and accuracy of GRE packet testing.
Another GRE message testing method in the embodiment of the present invention is described in detail below with reference to the GRE testing system in fig. 3. It should be noted that the method may be implemented in a GRE test system.
FIG. 5 is a flow diagram illustrating a GRE message testing method in accordance with another exemplary embodiment. As shown in fig. 5, the method may include, but is not limited to, the following steps:
In S510, the first firewall receives the test data packet.
According to an embodiment of the present invention, the first network (T0 side, which may be configured as a client) of the testing device in fig. 3 sends the test data packet, where the test data packet includes a data packet addressed to the second network (T1 side, which may be configured as a server) of the testing device.
In S520, the first firewall encapsulates the test data packet into a GRE packet, and adds a GRE packet header to the GRE packet.
According to the embodiment of the invention, the GRE packet header comprises the source address and the destination address of the GRE tunnel, wherein the source address is tunnel0 (address: 1.1.1.1/24) on the firewall 1, and the destination address is tunnel1 (address: 1.1.1.2/24) on the firewall 2.
In S530, the first firewall sends the GRE packet through the intrusion prevention device to the second firewall, based on the GRE packet header.
According to an embodiment of the invention, after receiving the GRE packet, the second firewall reads the GRE destination address from the packet header. When the destination address is determined to be the address (1.1.1.2/24) of its own GRE tunnel interface (tunnel1), the second firewall strips the GRE encapsulation and sends the inner test data packet to the second network (T1 side) of the test device.
According to an embodiment of the invention, if the determination shows instead that the GRE destination address is not the address (1.1.1.2/24) of the second firewall's GRE tunnel interface (tunnel1), the second firewall keeps the GRE encapsulation and forwards the GRE packet over the GRE tunnel between itself and the other device, so that the encapsulated packet reaches the destination address in its header.
It should be noted that, since the intrusion prevention device is connected in series in the GRE tunnel established between the first firewall and the second firewall, the GRE-encapsulated packet flows through the intrusion prevention device whether or not the GRE destination address is the address (1.1.1.2/24) of the second firewall's tunnel interface (tunnel1), so the intrusion prevention device can test the GRE packet in either case.
In S540, the intrusion prevention device tests the GRE packet.
According to an embodiment of the invention, the intrusion prevention device is configured with IPv4 and IPv6 protection policies, which are used to test the GRE packets flowing through it.
According to an embodiment of the invention, the test data packets may be application-layer background traffic containing various protocols, which verifies the processing capability of the IPS device for GRE-encapsulated mixed traffic; attacks and viruses mixed with background traffic, which verifies the detection and protection capability of the IPS device against GRE-encapsulated attacks and viruses; or dual-stack background traffic and attack traffic containing both IPv4 and IPv6 flows, which verifies the detection and processing capability of the IPS device for dual-stack traffic and attacks.
In an embodiment of the present invention, the test device may send a large volume of such test data packets, for example application-layer background traffic and abnormal traffic, for a long time from sending/receiving port T0 to sending/receiving port T1, thereby verifying the stability of the IPS device when processing GRE traffic.
In the embodiment of the invention, this GRE test system provides a stability test environment in which the processing capability of different devices for GRE traffic can be verified. Because the firewalls add the GRE header, packets containing a GRE header no longer have to be constructed in software: the existing background traffic and attack packets of the test device are used to test the processing capability of the intrusion prevention device for GRE traffic and attacks, and its performance and stability under a relatively complex load. This reduces the manual effort of constructing packets, improves test efficiency and improves test accuracy.
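The two flowcharts above (S410 to S430 and S510 to S540) describe the same path: firewall 1 encapsulates the test packet, the IPS inspects the tunnelled payload, and firewall 2 decapsulates only when the outer destination is its own tunnel endpoint. The following pure-Python model of that path is an added example, not code from the patent or from its assignee. One caveat a practitioner should keep in mind when reading the text: the base GRE header of RFC 2784 carries only flags, a version and a protocol type; the tunnel source and destination addresses that the description attributes to the "GRE packet header" actually travel in the outer IPv4 delivery header. The example therefore puts the page's tunnel endpoint addresses 12.0.0.1 and 12.0.0.2 (the gige0_1 interfaces) in that outer header. The inner test packets, the IP protocol number 253 standing in for application traffic, and the "eicar-like" byte pattern standing in for an IPS signature are all constructed for the example.

```python
"""Model of the GRE test path: firewall 1 encapsulates, the IPS inspects the
tunnelled payload, firewall 2 decapsulates. Added example, not code from the
patent or its assignee; addresses follow the page's Fig. 3 topology, payloads
and the signature are constructed here."""
import ipaddress
import struct

GRE_PROTO = 47             # IP protocol number of GRE (RFC 2784)
PTYPE_IPV4 = 0x0800        # GRE protocol type of an IPv4 payload
PTYPE_IPV6 = 0x86DD        # GRE protocol type of an IPv6 payload
FW1_ENDPOINT = "12.0.0.1"  # gige0_1 of firewall 1 (tunnel source)
FW2_ENDPOINT = "12.0.0.2"  # gige0_1 of firewall 2 (tunnel destination)

# Constructed stand-in for an IPS virus signature (leading bytes of the EICAR test string).
SIGNATURES = {"eicar-like": b"X5O!P%@AP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBHII", *fields))
    return struct.pack("!BBHHHBBHII", *fields)


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Minimal 40-byte IPv6 header, for the dual-stack test traffic."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def gre_encapsulate(inner: bytes, src: str = FW1_ENDPOINT, dst: str = FW2_ENDPOINT) -> bytes:
    """Firewall 1, step S420: GRE header (no C/K/S options) whose protocol type is
    taken from the inner IP version, preceded by the outer IPv4 delivery header."""
    ptype = {4: PTYPE_IPV4, 6: PTYPE_IPV6}.get(inner[0] >> 4)
    if ptype is None:
        raise ValueError("inner packet is neither IPv4 nor IPv6")
    gre = struct.pack("!HH", 0, ptype)
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> tuple:
    """Parse outer IPv4 plus GRE header; return (outer_src, outer_dst, ptype, inner)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):  # C, K, S flags each add one 4-byte field
        if flags & bit:
            offset += 4
    return src, dst, ptype, packet[offset:]


def ips_inspect(packet: bytes, signatures: dict = SIGNATURES) -> str:
    """Device under test, step S540: match signatures against the tunnelled payload,
    not the outer header. Returns 'forward' or 'drop:<signature name>'."""
    _, _, ptype, inner = gre_decapsulate(packet)
    if ptype == PTYPE_IPV4:
        payload = inner[(inner[0] & 0x0F) * 4:]
    elif ptype == PTYPE_IPV6:
        payload = inner[40:]  # constructed traffic carries no extension headers
    else:
        return "drop:unknown-protocol-type"
    for name, pattern in signatures.items():
        if pattern in payload:
            return "drop:" + name
    return "forward"


def fw2_receive(packet: bytes, my_endpoint: str = FW2_ENDPOINT) -> tuple:
    """Firewall 2, step S530: decapsulate when the outer destination is our own
    tunnel endpoint, otherwise forward the packet still encapsulated."""
    _, dst, _, inner = gre_decapsulate(packet)
    return ("deliver", inner) if dst == my_endpoint else ("forward", packet)


def constructed_traffic() -> dict:
    """T0 -> T1 test packets; protocol 253 (reserved for experiments) carries a raw payload."""
    return {
        "benign4": ipv4_header("10.0.0.2", "20.0.0.2", 253, 8) + b"GET / HT",
        "attack4": ipv4_header("10.0.0.2", "20.0.0.2", 253, 9) + b"X5O!P%@AP",
        "benign6": ipv6_header("2001:db8::2", "2001:db8:1::2", 253, 5) + b"hello",
        "attack6": ipv6_header("2001:db8::2", "2001:db8:1::2", 253, 9) + b"X5O!P%@AP",
    }


if __name__ == "__main__":
    for name, inner in constructed_traffic().items():
        tunnelled = gre_encapsulate(inner)
        print(name, ips_inspect(tunnelled), fw2_receive(tunnelled)[0])
```

Run as a script, it prints the IPS verdict and firewall 2's action for each constructed packet. The point of the model is the one the page makes: a device that only looks at the outer header sees protocol 47 between 12.0.0.1 and 12.0.0.2 for every packet, and can only tell the benign and attack cases apart by parsing past the GRE header into the IPv4 or IPv6 payload. A real IPS would reassemble the inner transport stream rather than pattern-match raw bytes, but the decapsulation step it must get right is the same.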
It should be clearly understood that the present disclosure describes how to make and use particular examples, but the principles of the present disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. In the following description of the system, the same parts as those of the foregoing method will not be described again.
Fig. 6 is a schematic structural diagram illustrating a GRE message testing apparatus according to an exemplary embodiment, where the apparatus 600 includes: a receiving module 610, an encapsulating module 620 and a transmitting module 630.
The receiving module 610 is configured to receive the test data packet through the first firewall.
An encapsulating module 620, configured to encapsulate the test data packet into a GRE packet through the first firewall, and add a GRE packet header to the GRE packet.
A sending module 630, configured to send the GRE packet to a second firewall through the first firewall based on the GRE packet header, so that the intrusion prevention device tests the GRE packet.
The first firewall is configured with a GRE encapsulation mode; the encapsulating module 620 is configured to encapsulate the test data packet into a GRE packet based on that GRE encapsulation mode.
Wherein, the GRE packet header includes: a GRE destination address comprising an address of a GRE tunnel interface of the second firewall.
Wherein, the GRE header also includes: a GRE source address comprising an address of a GRE tunnel interface of the first firewall.
The receiving module 610 is configured to receive a test data packet from a first network through a first firewall; the test data message includes a data packet having a destination address of the second network.
Wherein, the test data message includes: at least one of application-level background traffic, attacks and viruses with background traffic, and dual-stack background traffic and attack traffic.
In the embodiment of the invention, a test data message is received through a first firewall; packaging the test data message into a GRE packet through the first firewall, and adding a GRE packet header in the GRE packet; and the GRE packet flow is sent to a second firewall through the first firewall based on the GRE packet header, so that the intrusion defense equipment tests the GRE packet. The GRE packet header is automatically added to the message based on the constructed GRE tunnel, so that the message with the GRE packet header is prevented from being constructed by software, the test is carried out by utilizing various types of flow sent by test equipment, the diversity of the GRE message is increased, and the efficiency and the accuracy of GRE message test are improved. Finally, the test result of the tested intrusion prevention device can be obtained by comparing the test data message sent by the first test device with the test data message received by the second test device. How to evaluate the performance of the tested intrusion prevention devices is not a problem that the present disclosure needs to address and is therefore not described in the present disclosure.
Fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment. It should be noted that the electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the use range of the embodiment of the present application.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input section 706 including a keyboard, a mouse and the like; an output section 707 including a display such as a cathode ray tube (CRT) or a liquid crystal display (LCD), a speaker and the like; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card or a modem. The communication section 709 performs communication processing via a network such as the Internet. A drive 710 is also connected to the I/O interface 705 as necessary. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 710 as necessary, so that a computer program read from it can be installed into the storage section 708 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program executes the above-described functions defined in the terminal of the present application when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware. The modules described may also be provided in a processor, where the name of a module in some cases does not constitute a limitation of the module itself.
Exemplary embodiments of the present invention are specifically illustrated and described above. It is to be understood that the invention is not limited to the precise construction, arrangements, or instrumentalities described herein; on the contrary, the invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (12)

1. A test system for intrusion prevention equipment, comprising a first test device, a second test device, a first firewall, a second firewall and an intrusion prevention (IPS) device, wherein:
The first test equipment is used for sending a test data message to the first firewall;
the second testing equipment is used for receiving the testing data message from the first testing equipment through the second firewall;
a first firewall having a gateway-configured first port connected to the sending port of the first test device and a second port for creating a GRE tunnel;
a second firewall having a gateway-configured first port connected to a send port of a second test device and a second port for creating a GRE tunnel with the second port of the first firewall; and
the intrusion prevention device is arranged between the second port of the first firewall and the second port of the second firewall, receives the test packet data output by the second port of the first firewall, and forwards the legitimate test packet data to the second port of the second firewall.
2. The test system for an intrusion prevention device as recited in claim 1, wherein the first firewall is configured with a tunnel interface created and configured for routing to a second test device and the second firewall is configured with a tunnel interface created and configured for routing to the first test device, whereby a GRE tunnel is formed between the second port of the first firewall and the second port of the second firewall.
3. The test system for intrusion prevention devices as recited in claim 2, wherein the first firewall has a GRE encapsulation component for encapsulating test data messages from the first test device destined for the second test device into GRE packets using a GRE protocol, the second firewall having a GRE encapsulation component for decapsulating the GRE packets from the first firewall and sending the decapsulated test data messages to the second test device.
4. The test system for intrusion prevention devices according to claim 1, wherein the first port is an ethernet port and the second port is a gigabit ethernet port.
5. The test system for intrusion prevention devices according to claim 1, wherein the intrusion prevention device has an IPV4 protection policy component and/or an IPV6 protection policy component.
6. The test system for intrusion prevention devices according to claim 1, wherein the configured gateway address of the send/receive port of the first test device is an address of a first port of a first firewall and the configured gateway address of the send/receive port of the second test device is an address of a first port of a second firewall.
7. The test system for intrusion prevention devices according to claim 1, wherein the test data messages sent by the first test device include one or a combination of application layer background data of multiple protocols, attack and virus data with background data, dual stack background data and attack data including IPV4 and IPV6 traffic, and massive application layer background data and anomaly data.
8. A testing method for intrusion prevention devices, comprising:
configuring first test equipment, enabling the gateway address of a receiving and sending port of the first test equipment to be the address of a first port of a first firewall, and sending a test data message to the first firewall through the first test equipment;
configuring second testing equipment, enabling the gateway address of a receiving and sending port of the second testing equipment to be the address of a first port of a second firewall, and receiving a testing data message from the first testing equipment through the second testing equipment;
configuring a first firewall to enable a first port of the first firewall to be provided with a gateway and a second port of the first firewall to be used for creating a GRE tunnel, so that the first firewall encapsulates a test data message from first test equipment into a GRE packet by adopting a GRE encapsulation protocol;
configuring a second firewall to enable a first port of the second firewall to be provided with a gateway and a second port of the second firewall to be used for creating a GRE tunnel, so that the second firewall decapsulates the received GRE packet by adopting a GRE encapsulation protocol to obtain a test data message from the first test equipment; and
the intrusion prevention device is configured to forward the validated GRE packet from the second port of the first firewall to the second port of the second firewall.
9. The test method for an intrusion prevention device as recited in claim 8, wherein the configuring the first firewall includes creating a tunnel interface and causing the tunnel interface to be routed to the second test device and the configuring the second firewall includes creating a tunnel interface and causing the tunnel interface to be routed to the first test device, thereby forming a GRE tunnel between the second port of the first firewall and the second port of the second firewall.
10. The test method for an intrusion prevention device according to claim 8, wherein the first port is an ethernet port and the second port is a gigabit ethernet port.
11. The testing method for intrusion prevention devices according to claim 8, wherein the configuring of intrusion prevention devices comprises configuring IPV4 protection policies and/or IPV6 protection policies for intrusion prevention devices.
12. The testing method for intrusion prevention devices as recited in claim 8, wherein the configuring the first testing device includes enabling the first testing device to send one or a combination of application layer background data of multiple protocols, attack and virus data with background data, dual stack background data and attack data including IPV4 and IPV6 traffic, and massive application layer background data and anomaly data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010261927.6A CN111490986B (en) 2020-04-05 2020-04-05 Test system and method for intrusion prevention equipment

Publications (2)

Publication Number Publication Date
CN111490986A true CN111490986A (en) 2020-08-04
CN111490986B CN111490986B (en) 2022-05-27

Family

ID=71794615

Country Status (1)

Country Link
CN (1) CN111490986B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277476A (en) * 2022-07-24 2022-11-01 Hangzhou DPTech Technologies Co., Ltd. Automatic testing method and device for intrusion prevention equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101617498A (en) * 2006-12-19 2009-12-30 KTF Telecom Intrusion protection device and intrusion protection method for the Point-to-Point Tunneling Protocol
CN102916881A (en) * 2012-06-29 2013-02-06 Hangzhou H3C Technologies Co., Ltd. Message transmission method and routing equipment
CN103973555A (en) * 2013-01-29 2014-08-06 Huawei Technologies Co., Ltd. GRE protocol tunnel building method, communication device and communication system
WO2018162176A1 (en) * 2017-03-09 2018-09-13 Siemens Aktiengesellschaft Method and devices for transmitting data between a first network and a second network of a rail vehicle
CN109600293A (en) * 2018-12-24 2019-04-09 Qingdao Hisense Electronic Equipment Co., Ltd. GRE tunnel establishment method and system
CN110932907A (en) * 2019-12-03 2020-03-27 Peking University Linux container network configuration method and network system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wu Zhaoxiong et al., "Method for accessing a meteorological local area network over the Internet based on GRE tunnel technology", Guangdong Meteorology *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant